http://www.wired.com/news/infostructure/0,1377,57229,00.html
By Brian McWilliams
Jan. 16, 2003
A wisecracking group of hackers confirmed that its claim this week
that it spread an antipiracy virus was nothing but a hoax aimed at
garnering fame.
But members of the group, known as Gobbles Security, conceded that a
program it released to demonstrate the problem was a Trojan horse
capable of destroying files on the computers of unwary Unix users.
Experts said the bizarre incident, which caused a brief frenzy among
some security firms and fans of music file sharing, follows a grand
tradition of pranks by the playful hacking group.
"I think that the latest Gobbles advisory is genius," said Dave Aitel,
head of Immunity Security, a security software and services provider.
"Gobbles takes the piss out of all of us, and we need to respect and
appreciate that."
Gobbles' advisory said the Recording Industry Association of America had
contracted the hacking group to develop a hydra-like computer worm
that has already spread widely by exploiting security vulnerabilities
in several popular music programs.
Gobbles claimed the antipiracy tool enabled the RIAA to create
infected MP3 music files and distribute them through file-sharing
networks, compromising and cataloging the infected systems.
In an e-mail interview, Gobbles representatives admitted that they
fabricated the RIAA claim to get attention.
"The only excuse we can offer for our immaturity is that we like the
fame," they said.
An RIAA spokesperson also said Gobbles' claim that it's working for
the trade association was a hoax, but the representative declined to
comment on RIAA's technology-based antipiracy efforts.
However, a security flaw described in the Gobbles warning was very
real, according to Michael Hipp, developer of mpg123, a Unix-based MP3
player cited in the advisory.
Included with the Gobbles advisory was source code to a hacking
program that exploits the security bug. The use of mpg123 to play
special MP3 files created by the hacking program will delete files on
the user's computer with the Unix command "rm -rf," Gobbles
acknowledged.
"If anyone was dumb enough to lose data because of this, they deserved
it," wrote Gobbles representatives in an e-mail, which also noted that
the program warned users before deleting their files.
Dan Ingevaldson, an R&D manager at Internet Security Systems, said
Gobbles is "kind of an enigma" and is known to distribute both serious
and frivolous advisories. But Ingevaldson said he always enjoys
reading the group's bulletins, even though they sometimes poke fun at
ISS.
But to some in the security business, Gobbles' pranks and long-winded
advisories -- often written in faux broken-English and containing
diatribes about the industry -- have become tiring.
"It's just a big waste of everyone's time.... It's about as useful as
a bag of flaming dog doo on your doorstep," said Ryan Russell, author
and former moderator of the Vuln-Dev security mailing list.
Indeed, Gobbles' haughty attitude has made the group the target of
recent attacks, especially after a Gobbles leader, who uses the alias
Nwonknu, ridiculed members of the security industry in a rambling
keynote address in August at the annual Defcon hacker convention in
Las Vegas.
The following month, a computer allegedly owned by Nwonknu was hacked,
and some of its contents were anonymously posted to Full-Disclosure, a
security mailing list, from the e-mail account
bastedturkeyat_private.
Then in October, someone forged hundreds of nonsensical messages to
the list with the subject line "Poot ze-a cheekee in de-a oofee!" from
Gobbles' e-mail address. The incident caused some list participants to
call for a blockade of e-mails from the group.
But some security experts said Gobbles' technical prowess gives the
group a platform as the voice of conscience for the security industry.
Mark Litchfield, co-founder of NGSSoftware, said he put up $275 in
response to a public request last August by Gobbles for help with
airfare to Defcon.
According to Litchfield, Gobbles "knows (its) stuff" and shares its
findings with the security community "instead of keeping all (its)
advisories/exploits and sharing them privately with the black-hat
community, which I would feel is a greater threat."
In a jab at SecurityFocus, the Symantec-owned security firm that
operates the popular Bugtraq mailing list, Gobbles registered the
domain Bugtraq.org in 2001. Due to an apparent spate of attacks on the
site (archived here), Gobbles' advisories have been mirrored at a site
hosted by Aitel. According to Aitel, who said he has no other
involvement with the group, Gobbles helps to keep the security
industry's "huge egos" in check.
"Gobbles teaches everyone the valuable lesson that no matter how elite
we are, how rich we are, how many three letter agencies we have
contracts with, how much of the Fortune 500 relies on us to keep their
systems secure, someone out there is giggling at us," said Aitel.